diff --git a/docs/provider-akeyless.md b/docs/provider-akeyless.md index 1843868dd..2c2f4bea6 100644 --- a/docs/provider-akeyless.md +++ b/docs/provider-akeyless.md @@ -40,7 +40,7 @@ Be sure the `akeyless` provider is listed in the `Kind=SecretStore` and the `ake ```yaml {% include 'akeyless-secret-store.yaml' %} ``` - +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `accessID`, `accessType` and `accessTypeParam` with the namespaces where the secrets reside. ### Creating external secret To get a secret from Akeyless and secret it on the Kubernetes cluster, a `Kind=ExternalSecret` is needed. @@ -49,6 +49,7 @@ To get a secret from Akeyless and secret it on the Kubernetes cluster, a `Kind=E {% include 'akeyless-external-secret.yaml' %} ``` + #### Using DataFrom DataFrom can be used to get a secret as a JSON string and attempt to parse it. diff --git a/docs/provider-aws-parameter-store.md b/docs/provider-aws-parameter-store.md index 0eefe34c0..c15a643b6 100644 --- a/docs/provider-aws-parameter-store.md +++ b/docs/provider-aws-parameter-store.md @@ -11,6 +11,7 @@ way users of the `SecretStore` can only access the secrets necessary. ``` yaml {% include 'aws-parameter-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef` and `secretAccessKeySecretRef` with the namespaces where the secrets reside. !!! warning "API Pricing & Throttling" The SSM Parameter Store API is charged by throughput and diff --git a/docs/provider-aws-secrets-manager.md b/docs/provider-aws-secrets-manager.md index 8fc352fff..fd536eebe 100644 --- a/docs/provider-aws-secrets-manager.md +++ b/docs/provider-aws-secrets-manager.md 
@@ -11,7 +11,7 @@ way users of the `SecretStore` can only access the secrets necessary. ``` yaml {% include 'aws-sm-store.yaml' %} ``` - +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef` and `secretAccessKeySecretRef` with the namespaces where the secrets reside. ### IAM Policy Create a IAM Policy to pin down access to secrets matching `dev-*`. diff --git a/docs/provider-azure-key-vault.md b/docs/provider-azure-key-vault.md index 62b7a4f9a..c8fd1b9b2 100644 --- a/docs/provider-azure-key-vault.md +++ b/docs/provider-azure-key-vault.md @@ -31,6 +31,7 @@ Be sure the `azurekv` provider is listed in the `Kind=SecretStore` ```yaml {% include 'azkv-secret-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `clientId` and `clientSecret` with the namespaces where the secrets reside. Or in case of Managed Idenetity authentication: diff --git a/docs/provider-gitlab-project-variables.md b/docs/provider-gitlab-project-variables.md index 1e3bcde69..2309c3e25 100644 --- a/docs/provider-gitlab-project-variables.md +++ b/docs/provider-gitlab-project-variables.md @@ -27,6 +27,7 @@ Be sure the `gitlab` provider is listed in the `Kind=SecretStore` and the Projec ```yaml {% include 'gitlab-secret-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessToken` with the namespace where the secret resides. Your project ID can be found on your project's page. ![projectID](./pictures/screenshot_gitlab_projectID.png) diff --git a/docs/provider-google-secrets-manager.md b/docs/provider-google-secrets-manager.md index 5b69571b7..801530ac4 100644 --- a/docs/provider-google-secrets-manager.md +++ b/docs/provider-google-secrets-manager.md 
@@ -84,7 +84,6 @@ You can use [GCP Service Account](https://cloud.google.com/iam/docs/service-acco {% include 'gcpsm-credentials-secret.yaml' %} ``` -**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `SecretAccessKeyRef` with the namespace of the secret that we just created. #### Update secret store Be sure the `gcpsm` provider is listed in the `Kind=SecretStore` @@ -93,6 +92,8 @@ Be sure the `gcpsm` provider is listed in the `Kind=SecretStore` {% include 'gcpsm-secret-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `SecretAccessKeyRef` with the namespace of the secret that we just created. + #### Creating external secret To create a kubernetes secret from the GCP Secret Manager secret a `Kind=ExternalSecret` is needed. diff --git a/docs/provider-hashicorp-vault.md b/docs/provider-hashicorp-vault.md index 97957363b..b9d871ffd 100644 --- a/docs/provider-hashicorp-vault.md +++ b/docs/provider-hashicorp-vault.md @@ -26,7 +26,6 @@ spec: # https://www.vaultproject.io/docs/auth/token tokenSecretRef: name: "vault-token" - namespace: "default" key: "token" --- apiVersion: v1 @@ -36,6 +35,7 @@ metadata: data: token: cm9vdA== # "root" ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `tokenSecretRef` with the namespace of the secret that we just created. Then create a simple k/v pair at path `secret/foo`: @@ -92,6 +92,7 @@ A static token is stored in a `Kind=Secret` and is used to authenticate with vau ```yaml {% include 'vault-token-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `tokenSecretRef` with the namespace where the secret resides. #### AppRole authentication example 
@@ -101,6 +102,7 @@ A static token is stored in a `Kind=Secret` and is used to authenticate with vau ```yaml {% include 'vault-approle-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides. #### Kubernetes authentication @@ -115,6 +117,7 @@ options of optaining credentials for vault: ```yaml {% include 'vault-kubernetes-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `serviceAccountRef` or in `secretRef`, if used. #### LDAP authentication @@ -126,6 +129,7 @@ in a `Kind=Secret` referenced by the `secretRef`. ```yaml {% include 'vault-ldap-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides. #### JWT/OIDC authentication @@ -137,6 +141,7 @@ or `Kind=ClusterSecretStore` resource. ```yaml {% include 'vault-jwt-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretRef` with the namespace where the secret resides. ### Vault Enterprise and Eventual Consistency diff --git a/docs/provider-ibm-secrets-manager.md b/docs/provider-ibm-secrets-manager.md index e25ab0de3..68deeae09 100644 --- a/docs/provider-ibm-secrets-manager.md +++ b/docs/provider-ibm-secrets-manager.md @@ -40,6 +40,7 @@ Be sure the `ibm` provider is listed in the `Kind=SecretStore` ```yaml {% include 'ibm-secret-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `secretApiKeySecretRef` with the namespace where the secret resides. To find your serviceURL, under your Secrets Manager resource, go to "Endpoints" on the left. Note: Use the url without the `/api` suffix that is presented in the UI. diff --git a/docs/provider-oracle-vault.md b/docs/provider-oracle-vault.md index af316c96b..dcb30888d 100644 --- a/docs/provider-oracle-vault.md 
+++ b/docs/provider-oracle-vault.md @@ -38,6 +38,7 @@ Be sure the `oracle` provider is listed in the `Kind=SecretStore`. {% include 'oracle-secret-store.yaml' %} ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `privatekey` and `fingerprint` with the namespaces where the secrets reside. ### Creating external secret To create a kubernetes secret from the Oracle Cloud Interface secret a`Kind=ExternalSecret` is needed. diff --git a/docs/provider-webhook.md b/docs/provider-webhook.md index 79b4c5e01..482a92751 100644 --- a/docs/provider-webhook.md +++ b/docs/provider-webhook.md @@ -38,6 +38,8 @@ data: NB: This is obviously not practical because it just returns the key as the result, but it shows how it works +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in all `secrets` references with the namespaces where the secrets reside. + Now create an ExternalSecret that uses the above SecretStore: ```yaml @@ -107,14 +109,14 @@ spec: # Use this name to refer to this secret in templating, above - name: secretRef: - namespace: + namespace: # Only used in ClusterSecretStores name: # Add CAs here for the TLS handshake caBundle: caProvider: type: Secret or COnfigMap name: - namespace: + namespace: # Only used in ClusterSecretStores key: ``` diff --git a/docs/provider-yandex-lockbox.md b/docs/provider-yandex-lockbox.md index 8eb5cb4c9..b32f262f5 100644 --- a/docs/provider-yandex-lockbox.md +++ b/docs/provider-yandex-lockbox.md @@ -39,6 +39,7 @@ spec: key: authorized-key ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in all `authorizedKeySecretRef` with the namespace where the secret resides. ### Creating external secret To make External Secrets Operator sync a k8s secret with a Lockbox secret: diff --git a/docs/snippets/provider-aws-access.md b/docs/snippets/provider-aws-access.md index af470eb28..2df65922e 100644 --- a/docs/snippets/provider-aws-access.md 
+++ b/docs/snippets/provider-aws-access.md @@ -50,6 +50,7 @@ spec: name: awssm-secret key: secret-access-key ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` in `accessKeyIDSecretRef`, `secretAccessKeySecretRef` with the namespaces where the secrets reside. ### EKS Service Account credentials @@ -86,3 +87,4 @@ spec: serviceAccountRef: name: my-serviceaccount ``` +**NOTE:** In case of a `ClusterSecretStore`, Be sure to provide `namespace` for `serviceAccountRef` with the namespace where the service account resides. \ No newline at end of file diff --git a/docs/snippets/vault-approle-store.yaml b/docs/snippets/vault-approle-store.yaml index 306bc8874..65065ef44 100644 --- a/docs/snippets/vault-approle-store.yaml +++ b/docs/snippets/vault-approle-store.yaml @@ -21,5 +21,4 @@ spec: # Reference to a key in a K8 Secret that contains the App Role SecretId secretRef: name: "my-secret" - namespace: "secret-admin" key: "secret-id" diff --git a/docs/snippets/vault-jwt-store.yaml b/docs/snippets/vault-jwt-store.yaml index 3f0ac9220..a06a5eded 100644 --- a/docs/snippets/vault-jwt-store.yaml +++ b/docs/snippets/vault-jwt-store.yaml @@ -19,5 +19,4 @@ spec: role: "vault-jwt-role" secretRef: name: "my-secret" - namespace: "secret-admin" key: "jwt-token" diff --git a/docs/snippets/vault-kubernetes-store.yaml b/docs/snippets/vault-kubernetes-store.yaml index cdb1e1497..2dcc01957 100644 --- a/docs/snippets/vault-kubernetes-store.yaml +++ b/docs/snippets/vault-kubernetes-store.yaml @@ -22,10 +22,8 @@ spec: # of a kubernetes ServiceAccount serviceAccountRef: name: "my-sa" - namespace: "secret-admin" # Optional secret field containing a Kubernetes ServiceAccount JWT # used for authenticating with Vault secretRef: name: "my-secret" - namespace: "secret-admin" key: "vault" diff --git a/docs/snippets/vault-ldap-store.yaml b/docs/snippets/vault-ldap-store.yaml index 4358effe8..56cb747b9 100644 --- a/docs/snippets/vault-ldap-store.yaml 
+++ b/docs/snippets/vault-ldap-store.yaml @@ -19,5 +19,4 @@ spec: username: "username" secretRef: name: "my-secret" - namespace: "secret-admin" key: "ldap-password" diff --git a/docs/snippets/vault-token-store.yaml b/docs/snippets/vault-token-store.yaml index 947aca28f..ca979f285 100644 --- a/docs/snippets/vault-token-store.yaml +++ b/docs/snippets/vault-token-store.yaml @@ -14,5 +14,4 @@ spec: # https://www.vaultproject.io/docs/auth/token tokenSecretRef: name: "my-secret" - namespace: "secret-admin" key: "vault-token"
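
Review bot: In docs/provider-akeyless.md (hunk -40,7) and docs/provider-aws-secrets-manager.md (hunk -11,7) the NOTE replaces the blank line that separated the closing code fence from the next heading, so the note is now wedged directly between the fence and `### Creating external secret` / `### IAM Policy`. Add the NOTE and keep a blank line on both sides of it, as the google-secrets-manager and webhook hunks do. The second akeyless hunk (-49,6) only adds an empty line before `#### Using DataFrom`, which is an unrelated whitespace change and can be dropped.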
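
Review bot: In docs/provider-google-secrets-manager.md the relocated NOTE names the field `SecretAccessKeyRef`, capitalised and unlike the lowerCamelCase references used in the rest of this patch (`secretAccessKeySecretRef`, `tokenSecretRef`, `secretRef`). Please check it against the key actually used in `gcpsm-secret-store.yaml` and use that exact spelling, since readers will copy it. After the move, "the secret that we just created" also sits one section away from the step that creates it; "the namespace where the secret resides", as in the other notes, reads better there. The same leftover wording is in the first hashicorp-vault NOTE (hunk -36,6).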
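
Review bot: The Kubernetes-authentication NOTE in docs/provider-hashicorp-vault.md (hunk -115,6) stops at "in `serviceAccountRef` or in `secretRef`, if used" and, unlike every other note in the patch, never says which namespace to provide; it is also unclear whether "if used" applies to `secretRef` only or to both. Suggest spelling it out, for example "in `serviceAccountRef` with the namespace of the service account, and in `secretRef` (if used) with the namespace where the secret resides". Across all hunks, "Be sure" is capitalised mid-sentence after the comma, and the yandex-lockbox note says "in all `authorizedKeySecretRef`" for a single field. Since a `ClusterSecretStore` is cluster-scoped and has no namespace of its own, one clause saying so would tell readers why the field matters.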
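
Review bot: In docs/provider-webhook.md (hunk -107,14) the new inline comment `namespace: # Only used in ClusterSecretStores` says when the field is read, while the NOTE added in hunk -38,6 of the same file says "Be sure to provide" it. Align the two so the reference block also tells the reader the field is expected for a `ClusterSecretStore`. While this block is being touched, the context line `type: Secret or COnfigMap` has a casing typo that could be fixed in the same change.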
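
Review bot: The final added line of docs/snippets/provider-aws-access.md (the `serviceAccountRef` NOTE in hunk -86,3) is followed by `\ No newline at end of file`. The file lives under docs/snippets, so it is presumably pulled into other pages by an include; end it with a newline so that whatever follows the include is not joined onto the NOTE paragraph.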
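
Review bot: The `namespace` line is deleted outright in docs/snippets/vault-approle-store.yaml, vault-jwt-store.yaml, vault-kubernetes-store.yaml, vault-ldap-store.yaml and vault-token-store.yaml, and in the inline `tokenSecretRef` example of docs/provider-hashicorp-vault.md (hunk -26,7), so none of the rendered examples show where the key belongs any more. The NOTEs added under each include then ask the reader to provide a field the example does not contain. The webhook hunk in this same patch keeps the key and annotates it (`namespace: # Only used in ClusterSecretStores`); doing the same here, as a commented-out line under each `secretRef`, `tokenSecretRef` and `serviceAccountRef`, would keep the placement and indentation visible.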